What do the fields vhl, tos, id, frag, etc indicate in the snoop output?
To explain the various SNOOP output fields, it is best to use an example.
Sample SNOOP Output:

Line 1 | 35455.0: | ethernet1(i) len=74:0010db1c5921->0010db1b44b4/0800 |
Line 2 |          | 10.1.10.5->1.1.70.250/1 |
Line 3 |          | vhl=45, tos=00, id=49627, frag=0000, ttl=63, tlen=128 |
Line 4 |          | icmp:type=8, code=0 |

Line 1 | 35455.0: | ethernet2(o) len=74:0010db1b44ba->0010db21be61/0800 |
Line 2 |          | 10.0.10.5->1.1.70.250/1 |
Line 3 |          | vhl=45, tos=00, id=49627, frag=0000, ttl=62, tlen=128 |
Line 4 |          | icmp:type=8, code=0 |

The two records show the same ICMP echo request (same id=49627, same ICMP type and code) entering the firewall on ethernet1 and leaving on ethernet2; the TTL drops from 63 to 62 as the firewall forwards it.
Interpreting Line 1:
35455.0 | Timer - the number of seconds since the firewall was last booted (uptime at the moment the frame was captured). |
ethernet1(i) | Interface (direction) - where: (i) = incoming, (o) = outgoing |
len=74 | Ethernet frame length in bytes |
0010db1c5921 | Source MAC address |
0010db1b44b4 | Destination MAC address |
0800 | Protocol type (EtherType) of the frame; 0x0800 is IPv4 |
Interpreting Line 2:
10.1.10.5 | Source IP address |
1.1.70.250 | Destination IP address |
1 | IP protocol number (1 = ICMP in this example) |
Interpreting Line 3:
vhl=45 | Version/header length, one hex digit each: 4 = IP version 4, 5 = header length in 32-bit words (5 x 4 = 20 bytes). A value above 5 means IP options are present. |
tos=00 | Type of service byte (precedence/DSCP and ECN bits). 00 means no precedence or QoS bits are set on this packet. |
id=49627 | Datagram identification; all fragments of one datagram carry the same id. |
frag=0000 | IP flags and fragment offset as a 16-bit hex value, from the high bit down:
1 bit = reserved (must be 0)
1 bit = DF (don't fragment)
1 bit = MF (more fragments: 0 for an unfragmented packet or the last fragment, 1 for all others)
13 bits = fragment offset in 8-byte units (multiply by 8 for the byte offset)
For example:
frag=2000 (0010 0000 0000 0000): MF set, offset 0 - this is the first fragment of a packet.
frag=4000 (0100 0000 0000 0000): DF set, MF clear, offset 0 - an unfragmented packet that must not be fragmented in transit.
frag=00b9 (0000 0000 1011 1001): MF clear, offset non-zero - this is the last fragment. Offset field (...0 0000 1011 1001) = 185; 185 x 8 = 1480 bytes offset. |
ttl=63 | Time to live. The firewall decrements it by one when forwarding: 63 on ingress, 62 on egress in the sample. |
tlen=128 | Total datagram length (bytes) |
Interpreting Line 4:
icmp:type=8, code=0 | Key header fields of the protocol identified on Line 2. Here type 8, code 0 is an ICMP echo request (ping). |
For traffic incoming to an interface (i.e. ethernet1(i):), the Destination MAC is the MAC address of the firewall interface that received it. For traffic outgoing from an interface (i.e. ethernet2(o):), the Source MAC is the MAC address of the firewall interface that the traffic is egressing from.
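The following parser is an added example, not part of the original article and not Juniper code. It reads four-line snoop records in the layout shown above (the exact indentation of real snoop output is an assumption, as is the convention that vhl, tos and frag are printed in hex while id, ttl and tlen are decimal), splits vhl, tos and frag into their bit fields, picks out the firewall's own MAC per the rule just stated, and flags fragment headers that should never occur on legitimate traffic (reserved bit set, DF together with MF or a non-zero offset, or a last fragment whose reassembled size would exceed 65535 bytes). The sample text is constructed from the page's two records, with the second frag value changed to 00b9 so the fragment decoder is exercised.

```python
"""Decode ScreenOS 'snoop' records (added example, not the article's own code)."""
import re

# Constructed sample based on the records on this page; the second frag
# value is changed to 00b9 to show a last-fragment decode.
SAMPLE = """\
35455.0: ethernet1(i) len=74:0010db1c5921->0010db1b44b4/0800
         10.1.10.5->1.1.70.250/1
         vhl=45, tos=00, id=49627, frag=0000, ttl=63, tlen=128
         icmp:type=8, code=0
35455.0: ethernet2(o) len=74:0010db1b44ba->0010db21be61/0800
         10.0.10.5->1.1.70.250/1
         vhl=45, tos=00, id=49627, frag=00b9, ttl=62, tlen=128
         icmp:type=8, code=0
"""

# Line 1: timer, interface(direction), frame length, MACs, EtherType.
LINE1 = re.compile(r"^(?P<time>\d+\.\d+):\s+(?P<iface>\w+)\((?P<dir>[io])\)\s+"
                   r"len=(?P<len>\d+):(?P<smac>[0-9a-f]{12})->(?P<dmac>[0-9a-f]{12})"
                   r"/(?P<etype>[0-9a-f]{4})$")
# Line 2: source/destination IP and IP protocol number.
LINE2 = re.compile(r"^(?P<src>[\d.]+)->(?P<dst>[\d.]+)/(?P<proto>\d+)$")
# Line 3: IP header fields (vhl/tos/frag in hex, id/ttl/tlen decimal: assumed).
LINE3 = re.compile(r"^vhl=(?P<vhl>[0-9a-f]{2}),\s*tos=(?P<tos>[0-9a-f]{2}),\s*"
                   r"id=(?P<id>\d+),\s*frag=(?P<frag>[0-9a-f]{4}),\s*"
                   r"ttl=(?P<ttl>\d+),?\s*tlen=(?P<tlen>\d+)$")
# Line 4: upper-layer protocol name and its key fields.
LINE4 = re.compile(r"^(?P<l4>\w+):(?P<fields>.*)$")


def decode_vhl(vhl_hex):
    """'45' -> IP version 4, IHL 5 words, 20 header bytes."""
    v = int(vhl_hex, 16)
    ihl = v & 0x0F
    return {"version": v >> 4, "ihl_words": ihl, "header_bytes": ihl * 4}


def decode_tos(tos_hex):
    """Split the ToS byte into the 6-bit DSCP field and the 2-bit ECN field."""
    t = int(tos_hex, 16)
    return {"dscp": t >> 2, "ecn": t & 0x03, "qos_marked": t != 0}


def decode_frag(frag_hex):
    """Split the 16-bit flags/offset word: reserved, DF, MF, 13-bit offset."""
    f = int(frag_hex, 16)
    reserved, df, mf = (f >> 15) & 1, (f >> 14) & 1, (f >> 13) & 1
    offset = f & 0x1FFF                      # in 8-byte units
    if mf == 0 and offset == 0:
        kind = "not fragmented"
    elif mf and offset == 0:
        kind = "first fragment"
    elif mf:
        kind = "middle fragment"
    else:
        kind = "last fragment"
    anomalies = []
    if reserved:
        anomalies.append("reserved bit set")
    if df and (mf or offset):
        anomalies.append("DF set on a fragment")   # contradictory: cannot be both
    return {"reserved": reserved, "df": df, "mf": mf, "offset_units": offset,
            "offset_bytes": offset * 8, "kind": kind, "anomalies": anomalies}


def parse_snoop(text):
    """Parse consecutive 4-line records; raise on a line that fits no pattern."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE1.match(line)
        if m:                                # a frame line starts a new record
            rec = m.groupdict()
            records.append(rec)
            continue
        if rec is None:
            raise ValueError("field line before any frame line: %r" % line)
        for pat in (LINE2, LINE3, LINE4):
            m = pat.match(line)
            if m:
                rec.update(m.groupdict())
                break
        else:
            raise ValueError("unrecognised snoop line: %r" % line)
    for rec in records:
        rec["hdr"] = decode_vhl(rec["vhl"])
        rec["tos_bits"] = decode_tos(rec["tos"])
        rec["fragment"] = decode_frag(rec["frag"])
        # Incoming: destination MAC is the firewall's; outgoing: source MAC is.
        rec["firewall_mac"] = rec["dmac"] if rec["dir"] == "i" else rec["smac"]
        # Last-fragment sanity check: reassembled datagram must fit in 16 bits.
        payload = int(rec["tlen"]) - rec["hdr"]["header_bytes"]
        if rec["fragment"]["offset_bytes"] + payload > 65535:
            rec["fragment"]["anomalies"].append("reassembled datagram exceeds 65535 bytes")
    return records


if __name__ == "__main__":
    for r in parse_snoop(SAMPLE):
        print(r["iface"], r["dir"], r["src"], "->", r["dst"], "proto", r["proto"],
              "| firewall MAC", r["firewall_mac"], "|", r["fragment"]["kind"],
              "offset", r["fragment"]["offset_bytes"], "anomalies", r["fragment"]["anomalies"])
```

Run it as a script to print one summary line per record; feed `parse_snoop()` the text of a real `snoop` dump to get the same decode. Any record whose `anomalies` list is non-empty is worth a closer look, since a well-formed stack never emits those flag combinations.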